A Model for Investigating Organizational Impact on Information Security Behavior

The increased amount of attacks targeting humans accessing and using computers has made it significantly important to understand human and organizational behavior in attacks and how resilient behavior can be achieved. This paper presents a research model that attempts to understand how organizational and human factors complement each other in shaping information security behavior. The model was developed through an inductive approach, in which content domain experts were interviewed to gain a deeper understanding of the phenomena. Common patterns that were identified in the interviews were then combined with data collected through surveying the literature. Specifically, the research model includes constructs related to the organization and promotion of information security, constructs related to perceptions of information security awareness and the social conditions within an organizational setting, and individual constructs related to an individual’s perceptions of attitude, normative beliefs, and self-efficacy. Implications for continuing research and how the model will be tested empirically are discussed

Countermeasures for Social Engineering-based Malware Installation Attacks

Social engineering exploits vulnerabilities at different layers (i.e. technical, social layer) in an organizational defense structure. It is therefore important to understand how to defend against these attacks using a holistic defense approach including multiple countermeasures. The literature suggests a plethora of countermeasures, little research has however been done to assess their effectiveness in managing social engineering threats. In this paper we attempt to obtain a deeper understanding of how to defend against a type of social engineering attack that attempts to install malware on computers through e-mail or portable media. We explore commonly proposed countermeasures needed to prevent this type of attack, and if any dependencies between them exist. Through a combined method approach of surveying the literature and conducting semi-structured interviews with domain experts we identified a set of countermeasures that provide empirical input for future studies but could potentially also give organizations guidance on how to manage social engineering-based malware installation attacks

Social Engineering: I-E based Model of Human Weakness for Attack and Defense Investigations

Social engineering is the attack aimed to manipulate dupe to divulge sensitive information or take actions to help the adversary bypass the secure perimeter in front of the information-related resources so that the attacking goals can be completed. Though there are a number of security tools, such as firewalls and intrusion detection systems which are used to protect machines from being attacked, widely accepted mechanism to prevent dupe from fraud is lacking. However, the human element is often the weakest link of an information security chain, especially, in a human-centered environment. In this paper, we reveal that the human psychological weaknesses result in the main vulnerabilities that can be exploited by social engineering attacks. Also, we capture two essential levels, internal characteristics of human nature and external circumstance influences, to explore the root cause of the human weaknesses. We unveil that the internal characteristics of human nature can be converted into weaknesses by external circumstance influences. So, we propose the I-E based model of human weakness for social engineering investigation. Based on this model, we analyzed the vulnerabilities exploited by different techniques of social engineering, and also, we conclude several defense approaches to fix the human weaknesses. This work can help the security researchers to gain insights into social engineering from a different perspective, and in particular, enhance the current and future research on social engineering defense mechanisms